Sandro "guly" Zaccarini found a critical vulnerability in Aerohive HiveManager Classic 8.1r1. The vulnerability allows a local unprivileged user, normally restricted in a Tenant-environment, to execute code on underlying system.

Pasquale "sid" Fiorillo found a critical vulnerability in QNAP QTS allowing the recovery of the Domain Admin password. Such password is "encrypted" with XOR and the key is a single byte! Any web application or extraneous software running in your QNAP system can access such configuration file and jeopardize your entire network if the NAS uses domain authentication for it's users.

Pasquale "sid" Fiorillo found a critical vulnerability in Veeam Backup & Replication version 6, 7 and 8. At the time of writing this impact a very large of updated and outdated/legacy Veeam deployments. The vulnerability allows a local unprivileged user of a Windows guest to gain Local and/or Domain Administrator access when VeeamVixProxy is active, the de-facto default in VMWare and Hyper-V environments.

Simone "negator" Onofri and Luca "beinux3" Napolitano found multiple issues
in ARC2, providing RDF and SPARQL functionalities to PHP applications and
working with MySQL as backend. Found vulnerabilities include SQL Injection
and XSS.

Simone "negator" Onofri found multiple issues in a nice image gallery script
that was going to use for his personal purposes, perhaps it's better to wait
a couple of releases before using this in production. Since the vendor was not
responsive this is a forced release. Found vulnerabilities include Blind SQL
Injection and XSS.

Giovanni "evilaliv3" Pellerano and Alessandro "jekil" Tanasi found multiple
vulnerabilities in Vtiger CRM 5.2.0, a software we already audited in the past.
High impact (for a web application) findings include a Remote Command
Execution issue (thanks to a possible bypass in the file upload extension
blacklist) and a Local File Inclusion that can be exploited by unauthenticated
users. Two separate Cross Site Scripting issues have been found, the first on
the login.

If you have read our previous article Jetty 6.x and 7.x Multiple Vulnerabilities your are already familiar to an attack vector called log escape sequence injection. It allows remote attackers to remotely exploit terminal emulator vulnerabilities that may happen when displaying in an unsafe manner files containing escape sequences. While the real issue belong to the terminals, programs that does not sanitize outputs make this vector relevant in the real world.

Jetty is a pure Java application server used by big players like Google (Google AppEngine, Google Web Toolkit) and many projects and products like Eclipse, Alfresco Developers, Bea WebLogic Business Connect and WebLogic Event Server, Cisco Subscriber Edge Services Manager, Sybase EAServer, Apache Geronimo, HP OpenView Interconnect Tools and HP Openview Self-Healing, JFox, Zimbra Desktop and others (here a more complete list http://docs.codehaus.org/display/JETTY/Jetty+Powered). Finding a bug in such a wildspread component is something definitely interesting as the exploitation scenarios are many. We were procrastinating a little too much on this advisory but a CORE advisory burned some of our research and this month we found the time to contact the vendor and follow our disclosure procedure. As always enjoy the reading!

In our publication PHP filesystem attack vectors - Take Two we highlighted some issues that can occur in applications written in PHP that make use of filesystem operations. This advisory for the Vtiger CRM, version 5.0.4, application is an example on how such generic issues can impact the security of a real world application.

Did you enjoyed our previous "PHP filesystem attack vectors" research? This is the second part and continuation of that paper and highlight new ways to evade filters using some path normalization issues. Have a nice reading!

Do you remember FormMail? I hope so. It's PERL code belonging to the past, the glorious 1995 Internet era. FromMail is a CGI script used to create contact forms, but not a common one, it's historical with millions of downloads and has a dedicated Wikipedia page (http://en.wikipedia.org/wiki/FormMail). By the way it's still used in both small and big deployments. FromMail development stopped in 1996, with the exception of security updates and the last security issue is from April 19, 2002. Now one could expect a software to be bugfree after 13 years of feature freeze and "stable" status. Well.. this is why we are here : ) Don't expect code execution, just enjoy the reading.